AI Security Review
scanned 1h ago · by lpm-firewall-aiInstall runs a package-owned license check that contacts centralicons.com with CENTRAL_LICENSE_KEY if present. This is a package-aligned license gate, not a confirmed malicious payload.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install preinstall hook; runtime import renders static icon components
Impact
Potential disclosure of the package-specific license key to the vendor endpoint; no observed credential harvesting beyond that, persistence, destructive action, or remote code execution
Mechanism
license validation POST plus static Qwik icon exports
Rationale
The install-time network behavior is real, but it is limited to vendor license validation using a package-specific CENTRAL_LICENSE_KEY and does not execute remote code or collect unrelated secrets. The library contents are static Qwik icon exports, and scanner hits such as SecretPhrase/Password/CryptoWallet are icon names rather than credential access.
Evidence
package.jsonlicense-check.jsindex.mjsIconAgenticCoding/index.mjsIconSecretPhrase/index.mjsIconPassword/index.mjsIconCryptoWallet/index.mjs
Network endpoints1
centralicons.com/license/check
Decision evidence
public snapshotAI called this Clean at 90.0% confidence as Benign with low false-positive risk.
Evidence for block
- package.json defines preinstall: node ./license-check.js
- license-check.js reads CENTRAL_LICENSE_KEY and POSTs it as Authorization to https://centralicons.com/license/check
Evidence against
- license-check.js only uses a package-specific license env var and package/version metadata
- Network endpoint is package-aligned with homepage/author branding, not an unrelated host
- index.mjs is a static barrel exporting icon modules
- Sample icon modules export Qwik SVG components with no runtime side effects beyond rendering
- No child_process, shell, fs mutation, eval/vm, dynamic require/import, persistence, or AI-agent control writes found
Behavioral surface
EnvironmentVarsNetwork
HighEntropyStringsMinifiedUrlStrings
NoLicense
Source & flagged code
1 flagged · loading sourcepackage.jsonView file
•scripts.preinstall = node ./license-check.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkgFindings
1 High2 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings
LowNo License